This is really more of a feature suggestion.
Over in the Let's Encrypt Community, we frequently see certbot users trying to make changes to their renewal configurations. Some try to edit the files manually, which often results in disaster. Others try to issue a certbot command to make the changes, which we usually recommend to avoid the former situation. The trouble is that in order to have the parameters actually written to a renewal configuration file, a certificate must actually be successfully issued, even if the user only wanted to reinstall their existing certificate! This leads to use of the dreaded --force-renewal parameter and the consequences thereof, which include, but are not limited to: hours of struggle, potential downtime due to hitting Let's Encrypt rate limits, and verbal lashings from some less polite community members that are often accompanied with an RTFM sentence.
It would be awesome if there were some way to run a certbot command to just update the renewal parameters without issuing a certificate. This could then be tested with renew --dry-run. The saving of the renewal parameters could even be contingent upon a successful dry run if deemed necessary.
It would be an added bonus if dry run would actually exercise the deployment hook so it could be tested without forced renewal or waiting two months.
Let's Encrypt Community: griffin